CN110120934A - Method, software defined network controller and the medium of application firewall strategy - Google Patents

Method, software defined network controller and the medium of application firewall strategy

Info

Publication number: CN110120934A
Authority: CN (China)
Prior art keywords: application, firewall, signature, strategy, software defined
Legal status: Granted
Application number: CN201811443201.3A
Other languages: Chinese (zh)
Other versions: CN110120934B (en)
Inventor: 库姆辛尼·瑞特纳辛哈姆
Current assignee: Juniper Networks Inc (listed as "Jungle Network" by the page's machine translation of the company name)
Original assignee: Juniper Networks
Events: application filed by Juniper Networks; publication of CN110120934A; application granted; publication of CN110120934B; legal status active

Classifications

    • H04L63/0263 Rule management (H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies)
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play (H04L41/00 Arrangements for maintenance, administration or management of data switching networks > H04L41/08 Configuration management of networks or network elements > H04L41/0803 Configuration setting)
    • H04L41/0893 Assignment of logical groups to network elements (H04L41/08 Configuration management of networks or network elements)
    • H04L41/0894 Policy-based network configuration management (H04L41/08 Configuration management of networks or network elements)
    • H04L41/342 Signalling channels for network management communication between virtual entities, e.g. orchestrators, SDN or NFV entities (H04L41/34 Signalling channels for network management communication)
    • H04L47/20 Traffic policing (H04L47/00 Traffic control in data switching networks > H04L47/10 Flow control; Congestion control)
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0254 Stateful filtering (H04L63/02 Firewalls > H04L63/0227 Filtering policies)
    • H04L63/0272 Virtual private networks (H04L63/02 Firewalls)
    • H04L63/1441 Countermeasures against malicious traffic (H04L63/14 Detecting or protecting against malicious traffic)
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L67/10 Protocols in which an application is distributed across nodes in the network (H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)

Abstract

This application relates to a method, a software defined network controller and a medium for applying firewall policies. A software defined network (SDN) controller of a data center that enforces application-aware firewall policies is disclosed. In one example, the SDN controller receives a request to initialize an instance of an application and, in response to receiving the request, sends a message to a firewall component located between the SDN gateway of the data center and a network outside the data center. In some examples, the message includes an application signature corresponding to the instance of the application and an application firewall policy corresponding to the application signature. The message instructs the firewall component to install the application firewall policy so that it is applied to the network traffic of the instance of the application.

Description

Method, software defined network controller and the medium of application firewall strategy
Technical field
The disclosure relates generally to computer networks, and more specifically to configuring firewall policies in virtual networks.
Background technique
Cloud data centers are data centers that provide external clients with access to virtualized applications, services and data storage. In a typical cloud data center environment there is a large number of interconnected servers that provide the compute (for example, compute nodes) and/or storage capacity on which various applications run. For example, a cloud data center includes facilities that host virtualized applications and services for the cloud data center's customers. The cloud data center hosts all of the infrastructure equipment, such as network and storage systems, redundant power supplies and environmental controls. In a typical cloud data center, clusters of storage systems and application servers are interconnected by a high-speed switch fabric provided by one or more tiers of physical network switches and routers. More sophisticated cloud data centers provide infrastructure spread across the world, with subscriber support equipment located in various physical hosting facilities.
A software defined network (SDN) platform can be used in a cloud data center and, in some cases, can use a logically centralized and physically distributed SDN controller together with a distributed forwarding plane in virtual routers; these virtual routers extend the network of physical routers and switches in the cloud data center into a virtual overlay network hosted in virtualized servers. The SDN controller provides the management, control and analytics functions of the virtualized network and orchestrates the virtual routers by communicating with them.
Summary of the invention
In general, this disclosure describes techniques for enforcing application-aware firewall policies by the SDN controller of a data center. In some examples, in response to receiving a request from a user to access a virtualized application in the cloud data center, the SDN controller instantiates the application in a virtual machine executing on one or more compute nodes of the cloud data center. During instantiation, the SDN controller configures the general and user-specific policies that apply to the application, such as network and firewall policies. An application may be instantiated and destroyed many times, and each time the network and firewall policies have to be reconfigured and reapplied. According to the techniques of this disclosure, the SDN controller can determine the firewall policy for the application and use that firewall policy to configure a firewall component located outside the SDN gateway of the data center. The firewall component can then apply the firewall policy to the network traffic of the application.
One example of the techniques disclosed herein includes an SDN controller that enforces application-aware firewall policies in a cloud data center. In one example, the SDN controller receives a request from a user to initialize an instance of an application in one or more virtual machines executing on one or more compute nodes of the cloud data center. The SDN controller requests from the firewall component an application signature corresponding to the instance of the application. The SDN controller retrieves, from its application firewall policy repository, the application firewall policy corresponding to the application signature. The SDN controller provisions the application firewall policy on the firewall component, and the firewall component applies the application firewall policy to the network traffic of the instance of the application. The firewall component may be a physical device or a virtual device. In the virtual firewall example, the virtual firewall may reside inside the cloud of the cloud data center or outside it. In the physical firewall example, the physical firewall is located outside the cloud of the cloud data center, between the SDN gateway of the cloud data center and the external network. In examples where there is no SDN gateway, the firewall may be located between the cloud and the external gateway of the cloud data center.
In some examples, if the SDN controller's application firewall policy repository contains no application firewall policy corresponding to the application signature, the SDN controller generates an application firewall policy corresponding to the application signature. In other examples, the SDN controller receives the application firewall policy corresponding to the application signature from an administrator. The SDN controller stores the application firewall policy in the application firewall policy repository so that the SDN controller can use it for subsequent instances of the application.
Thus, when the SDN controller instantiates an application for the first time, it builds the network and firewall policies for the application and configures the firewall component so that those policies are applied to the application instance and to subsequent instances of the same application. The SDN controller can therefore create a centralized repository of application-specific firewall policies, and can configure the firewall component with the application-specific firewall policy as needed whenever an application instance is created. The techniques of this disclosure can simplify the management and configuration of firewall components. The techniques of this disclosure may therefore allow the SDN controller to provide a scalable and flexible method for configuring and enforcing firewall policies.
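The instantiation workflow described above (request signature from the firewall component, look the policy up in the controller's repository, generate or store it if absent, then send the install message), as an added illustration that is not code from the patent or from Juniper Networks. The class names, the install message layout, the default policy generated for an unknown signature and the sample applications and signatures are all assumptions of this example; the patent specifies no wire format.

```python
"""Added example (not the patent's code): an SDN controller keeping an
application firewall policy repository keyed by application signature and
provisioning the firewall component each time an application instance is
initialized. Names, message layout and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FirewallRule:
    # One network traffic rule of an application firewall policy:
    # 5-tuple fields (addresses may be subnets, "any" is a wildcard),
    # traffic direction and the action to take.
    src: str
    dst: str
    proto: str
    dst_port: Optional[int]
    direction: str    # "ingress" or "egress"
    action: str       # "allow", "block", "log" or "report"


@dataclass
class AppFirewallPolicy:
    app_signature: str
    rules: List[FirewallRule]


@dataclass
class InstallMessage:
    # What the controller sends to the firewall component: the application
    # signature plus the policy to install for traffic matching it.
    app_signature: str
    policy: AppFirewallPolicy


class FirewallComponent:
    """Stand-in for the firewall component: answers signature requests and
    records the policies it has been instructed to install."""

    def __init__(self, signatures: Dict[str, str]):
        self._signatures = signatures            # app name -> signature
        self.installed: Dict[str, AppFirewallPolicy] = {}
        self.install_count = 0

    def signature_for(self, app_name: str) -> str:
        return self._signatures[app_name]

    def install(self, msg: InstallMessage) -> None:
        self.installed[msg.app_signature] = msg.policy
        self.install_count += 1


class SDNController:
    """Keeps the centralized application firewall policy repository and
    provisions the firewall component on every instantiation request."""

    def __init__(self, firewall: FirewallComponent):
        self.firewall = firewall
        self.repository: Dict[str, AppFirewallPolicy] = {}
        self.generated: List[str] = []   # signatures whose policy was generated

    def admin_policy(self, policy: AppFirewallPolicy) -> None:
        # A policy supplied by the administrator is stored as given.
        self.repository[policy.app_signature] = policy

    def _generate_policy(self, signature: str) -> AppFirewallPolicy:
        # Repository miss: generate a policy. The "allow egress, block
        # unsolicited ingress" default is this example's assumption.
        self.generated.append(signature)
        return AppFirewallPolicy(signature, [
            FirewallRule("any", "any", "any", None, "egress", "allow"),
            FirewallRule("any", "any", "any", None, "ingress", "block"),
        ])

    def initialize_instance(self, app_name: str) -> InstallMessage:
        signature = self.firewall.signature_for(app_name)
        policy = self.repository.get(signature)
        if policy is None:
            policy = self._generate_policy(signature)
            self.repository[signature] = policy   # reused by later instances
        msg = InstallMessage(signature, policy)
        self.firewall.install(msg)
        return msg


def demo() -> dict:
    # Constructed sample data: two applications the firewall can identify.
    fw = FirewallComponent({"web": "sig-web-001", "db": "sig-db-002"})
    ctl = SDNController(fw)
    ctl.admin_policy(AppFirewallPolicy("sig-web-001", [
        FirewallRule("any", "10.0.1.0/24", "tcp", 443, "ingress", "allow"),
        FirewallRule("any", "10.0.1.0/24", "any", None, "ingress", "block"),
    ]))
    first = ctl.initialize_instance("web")
    second = ctl.initialize_instance("web")    # repository hit: same policy
    ctl.initialize_instance("db")              # repository miss: generated
    return {
        "web_rules": len(first.policy.rules),
        "same_policy": first.policy is second.policy,
        "db_generated": "sig-db-002" in ctl.generated,
        "installs": fw.install_count,
        "repo_size": len(ctl.repository),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the behaviour the summary describes: the administrator-supplied policy for the web application is reused unchanged for its second instance, the database application with no stored policy gets a generated one that is then kept for later instances, and the firewall component receives an install message for every instantiation request.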
In one example, this disclosure describes a method comprising: receiving, by a software defined network (SDN) controller of a data center, a request to initialize an instance of an application; and, in response to receiving the request, sending, from the SDN controller to a firewall component located between an SDN gateway of the data center and a network outside the data center, a message, the message including: an application signature corresponding to the instance of the application; and an application firewall policy corresponding to the application signature, wherein the message instructs the firewall component to install the application firewall policy to be applied to the network traffic of the instance of the application.
In another example, this disclosure describes a software defined network (SDN) controller of a data center, configured to: receive a request to initialize an instance of an application; and, in response to receiving the request, send a message to a firewall component located between an SDN gateway device of the data center and a network outside the data center, the message including: an application signature corresponding to the instance of the application; and an application firewall policy corresponding to the application signature, wherein the message instructs the firewall component to install the application firewall policy to be applied to the network traffic of the instance of the application.
In another example, this disclosure describes a non-transitory computer-readable medium including instructions that, when executed, cause one or more processors executing a software defined network (SDN) controller of a data center to: receive a request to initialize an instance of an application; and, in response to receiving the request, send a message to a firewall component located between an SDN gateway of the data center and a network outside the data center, the message including: an application signature corresponding to the instance of the application; and an application firewall policy corresponding to the application signature, wherein the message instructs the firewall component to install the application firewall policy to be applied to the network traffic of the instance of the application.
The details of one or more examples of the techniques of this disclosure are set forth in the accompanying drawings and the description below. Other features, objects and advantages of these techniques will be apparent from the description and drawings, and from the claims.
Detailed description of the invention
Fig. 1 is a block diagram illustrating an example network having a data center in which examples of the techniques described herein may be implemented.
Fig. 2 is a block diagram illustrating an example implementation of the data center of Fig. 1 in further detail.
Fig. 3 is a block diagram illustrating an example control node of the SDN controller in further detail, according to the techniques of this disclosure.
Fig. 4 is a block diagram illustrating an example implementation of a firewall component in which examples of the techniques described herein may be implemented.
Fig. 5 is a flowchart illustrating example operations according to the techniques of this disclosure.
Like reference characters denote like elements throughout the figures and description.
Specific embodiment
Fig. 1 is a block diagram illustrating an example network 5 having a data center 10 in which SDN controller 32 and firewall 35 operate according to the techniques of this disclosure to provide enforcement of application-aware firewall policies. In general, data center 10 provides an operating environment for applications and services for customers 4 coupled to data center 10 through service provider network 6. Data center 10 hosts infrastructure equipment, such as network and storage systems, redundant power supplies and environmental controls. Service provider network 6 may be coupled to one or more networks administered by other providers and may thus form part of a large-scale public network infrastructure (for example, the Internet).
In some examples, data center 10 may represent one of many geographically distributed network data centers. As illustrated in the example of Fig. 1, data center 10 is a facility that provides network services for customers 4. Customers 4 may be collective entities such as enterprises and governments, or individuals. For example, a network data center may host web services for several enterprises and end users. Other example services may include data storage, virtual private networks, traffic engineering, file services, data mining, scientific or supercomputing, and so on. In some examples, data center 10 is an individual network server, a network peer, or otherwise.
In this example, data center 10 includes a set of storage systems and application servers interconnected via a high-speed switch fabric 21 provided by one or more tiers of physical network switches and routers. Servers 26A-26X ("servers 26") are the compute nodes of the data center. In some examples, the terms "compute node" and "server" are used interchangeably herein to refer to servers 26. For example, each server 26 may provide an operating environment for executing one or more customer-specific virtual machines ("VMs" in Fig. 1). Switch fabric 21 is provided by a set of interconnected top-of-rack (TOR) switches 24A-24N (collectively, "TOR switches 24") coupled to a distribution layer of chassis switches 22A-22M (collectively, "chassis switches 22"). Although not shown, data center 10 may also include, for example, one or more non-edge switches, routers, hubs, gateways, security devices (firewalls, intrusion detection and/or intrusion prevention devices, and so on), servers, computer terminals, laptops, printers, databases, wireless mobile devices (such as cellular phones or personal digital assistants), wireless access points, bridges, cable modems, application accelerators, or other network devices.
In this example, TOR switches 24 and chassis switches 22 provide servers 26 with redundant (multi-homed) connectivity to IP fabric 20. Chassis switches 22 aggregate traffic flows and provide high-speed connectivity between TOR switches 24. TOR switches 24 are network devices that provide layer 2 (for example, MAC) and/or layer 3 (for example, IP) routing and/or switching functionality. TOR switches 24 and chassis switches 22 each include one or more processors and memory and are capable of executing one or more software processes. Chassis switches 22 are coupled to IP fabric 20, which performs layer 3 routing to route network traffic between data center 10 and customers 4 via service provider network 6. Software defined network ("SDN") gateway 8 is used to forward and receive packets between IP fabric 20 and service provider network 6.
In accordance with one or more examples of this disclosure, SDN controller 32 provides a logically and, in some cases, physically centralized controller for facilitating the operation of one or more virtual networks within data center 10. Throughout this disclosure, the terms SDN controller and Virtual Network Controller ("VNC") may be used interchangeably. In some examples, SDN controller 32 operates in response to configuration input received from orchestration engine 30 via northbound Application Programming Interface (API) 31, which in turn operates in response to configuration input received from administrator 28. Additional information regarding SDN controller 32 operating in conjunction with other devices of data center 10 or other software-defined networks is found in International Application Number PCT/US2013/044378, filed June 5, 2013, and entitled "Physical Path Determination for Virtual Network Packet Flows," which is incorporated herein by reference as if fully set forth herein.
In some examples, orchestration engine 30 manages the functions of data center 10 such as compute, storage, networking and application resources. For example, orchestration engine 30 may create a virtual network for a tenant within data center 10 or across data centers. Orchestration engine 30 may attach virtual machines (VMs) to a tenant's virtual network. Orchestration engine 30 may connect a tenant's virtual network to some external network (for example, the Internet or a VPN). Orchestration engine 30 may implement a security policy across a group of VMs or at the boundary of a tenant's network. Orchestration engine 30 may deploy a network service (for example, a load balancer) in a tenant's virtual network.
In some examples, SDN controller 32 manages the network and networking services (such as load balancing and security) and allocates resources from servers 26 to various applications via southbound API 33. That is, southbound API 33 represents a set of communication protocols used by SDN controller 32 to make the actual state of the network equal to the desired state specified by orchestration engine 30. For example, one such communication protocol may include a messaging protocol such as XMPP. For example, SDN controller 32 implements high-level requests from orchestration engine 30 by configuring physical switches (for example, TOR switches 24, chassis switches 22 and switch fabric 21), physical routers, physical service nodes such as firewalls and load balancers, and virtual services such as virtual firewalls in VMs. SDN controller 32 maintains routing, networking and configuration information within a state database. SDN controller 32 communicates a suitable subset of the routing information and configuration information from the state database to the virtual router (VR) agents 36A-36X ("VA" in Fig. 1) on each of servers 26A-26X.
Typically, traffic between any two network devices (such as between network devices (not shown) within IP fabric 20, between servers 26 and customers 4, or between servers 26) can traverse the physical network using many different paths. For example, there may be several different paths of equal cost between two network devices. In some cases, packets belonging to network traffic from one network device to another may be distributed among the various possible paths using a routing strategy called multi-path routing at each network switching node. For example, the Internet Engineering Task Force (IETF) RFC 2992, "Analysis of an Equal-Cost Multi-Path Algorithm," describes a routing technique for routing packets along multiple paths of equal cost. The techniques of RFC 2992 analyze one particular multi-path routing strategy that involves assigning flows to bins by hashing packet header fields, so that all packets from a particular network flow are sent over a single deterministic path.
For example, a "flow" is defined by the five values used in a packet header (or "five-tuple", that is, protocol, source IP address, destination IP address, source port and destination port), which are used to route the packet through the physical network. For example, the protocol specifies the communications protocol (such as TCP or UDP), and the source port and destination port refer to the source and destination ports of the connection. A set of one or more packet data units (PDUs) that match a particular flow entry represent a flow. Flows may be broadly classified using any parameter of a PDU, such as source and destination data link (for example, MAC) and network (for example, IP) addresses, a Virtual Local Area Network (VLAN) tag, transport layer information, a Multiprotocol Label Switching (MPLS) or Generalized MPLS (GMPLS) label, and an ingress port of the network device receiving the flow. For example, a flow may be all PDUs transmitted in a Transmission Control Protocol (TCP) connection, all PDUs sourced by a particular MAC address or IP address, all PDUs having the same VLAN tag, or all PDUs received at the same switch port.
As described herein, each of servers 26 includes a respective virtual router ("VR" in Fig. 1) that executes multiple routing instances for corresponding virtual networks within data center 10 and routes packets to the appropriate virtual machines executing within the operating environment provided by the server. Packets received by the virtual router of server 26A from the underlying physical network fabric may, for instance, include an outer header that allows the physical network fabric to tunnel the payload or "inner packet" to the physical network address of the network interface of the server 26 that executes the virtual router. The outer header may include not only the physical network address of the server's network interface but also a virtual network identifier (such as a VxLAN tag or Multiprotocol Label Switching (MPLS) label) that identifies one of the virtual networks and the corresponding routing instance executed by the virtual router. The inner packet includes an inner header having a destination network address that conforms to the virtual network addressing space of the virtual network identified by the virtual network identifier.
In some aspects, the virtual router buffers and aggregates multiple tunneled packets received from the underlying physical network fabric before delivering them to the appropriate routing instance for the packets. That is, a virtual router executing on one of servers 26 may receive inbound tunnel packets of a packet flow from TOR switches 24 and, before routing the tunnel packets to a locally executing virtual machine, process them to construct a single aggregate tunnel packet for forwarding to the virtual machine. That is, the virtual router may buffer multiple inbound tunnel packets and construct a single tunnel packet in which the payloads of the multiple tunnel packets are combined into a single payload and the outer/overlay headers of the tunnel packets are removed and replaced with a single header virtual network identifier. In this way, the aggregate tunnel packet can be forwarded by the virtual router to the virtual machine as if a single inbound tunnel packet had been received from the virtual network. Moreover, to perform the aggregation operation, the virtual router may leverage a kernel-based offload engine that seamlessly and automatically directs the aggregation of tunnel packets. Further example techniques by which the virtual routers forward traffic to the customer-specific virtual machines executing on servers 26 are described in U.S. Patent Application 14/228,844, entitled "Packet Segmentation Offload for Virtual Networks," which is incorporated herein by reference.
In the example of Fig. 1, SDN controller 32 learns routes and distributes them, together with other information such as configuration information, to all compute nodes in data center 10. On receiving routing information from SDN controller 32, the VR agent 36 running on a compute node typically programs the data forwarding element (the virtual router) with the forwarding information. SDN controller 32 sends routing and configuration information to VR agents 36 using a messaging protocol such as XMPP rather than a heavier-weight protocol such as a routing protocol like the Border Gateway Protocol (BGP). In XMPP, SDN controller 32 and the agents communicate routes and configuration over the same channel. When receiving virtual routes from a VR agent 36, SDN controller 32 acts as the messaging protocol client and the VR agent 36 acts as the messaging protocol server. Conversely, when SDN controller 32 sends routes to a VR agent 36, SDN controller 32 acts as the messaging protocol server for the VR agent 36, which acts as the messaging protocol client.
Firewall 35 by firewall policy be applied to the one or more application that is executed on the virtual machine of server 26 with It is flowed between other equipment (being such as connected to those of data center 10 via service provider network 6) outside data center 10 Dynamic network flow.Complicated safety regulation may be implemented in firewall 35, is provided with entering in network flow by data center 10 Private clound (for example, be used for IT department) or the mixed cloud that is provided by data center 10 (for example, using public cloud and private clound Combined cloud) allow or prevent the network flow outside data center 10 before.In the example of fig. 1, firewall 35 is located at SDN The external side of gateway 8, for example, network (such as service provider network 6) outside SDN gateway 8 and data center 10 Between upstream router.In other examples, firewall 35 executes calculating equipment (such as server as data center 10 26) virtual network function (VNF) on cluster.
In some instances, firewall 35 enforces each firewall policy in port and protocol rank.Show at other In example, firewall 35 enforces each firewall policy (for example, can permit Hyper text transfer in the 7th layer of application level of OSI Agreement (HTTP) flow, while preventing Secure Socket Layer (SSL) flow).In one example, each firewall policy limits more A network flow rule.In some instances, firewall 35 can be based on 5 tuples rule (for example, the 3rd layer or the 4th layer fire prevention Wall), based on accesses control list (ACL) or based on 5 tuples and application identifier (ID) or signature (for example, the 7th layer of fire prevention Wall) prevent flow.Each network flow rule may include at least one source IP address, at least one source port, at least one A destination IP address, at least one destination port, agreement;Can specify whether network flow rule is based on application;Side To (for example, entrance or rate of discharge);And it can further specify that pattern-matching rule (for example, regular expression).One In a little examples, network flow rule further from source and can go to the network flow of destination and specify corresponding license Movement (for example, prevent flow, allow flow, record flow or report flow to manager).
In some examples, the source of the network traffic and the destination of the network traffic are expressed as one or more network addresses and/or one or more subnets. For example, based on a firewall policy, firewall 35 may block or allow network traffic to or from one or more applications. For example, based on a first firewall policy, firewall 35 may block network traffic originating from one or more addresses specified by the first firewall policy and destined for one or more applications. As another example, based on a second firewall policy, firewall 35 may allow network traffic originating from one or more addresses specified by the second firewall policy and destined for one or more applications. As another example, based on a third firewall policy, firewall 35 may block network traffic originating from one or more applications and destined for one or more addresses specified by the third firewall policy. As yet another example, based on a fourth firewall policy, firewall 35 may allow network traffic originating from one or more applications and destined for one or more addresses specified by the fourth firewall policy.
In some examples, firewall 35 performs packet forwarding and packet filtering services for data center 10. In some examples, firewall 35 is a physical firewall component and includes hardware or a combination of hardware and software. In other examples, firewall 35 is a virtual firewall component and includes software executing on one or more virtual machines, and in some cases the virtual machine(s) may reside on a device outside the cloud, between SDN controller 23 and an upstream router of the external network. In some examples, firewall 35 is part of the infrastructure of data center 10. In other examples, firewall 35 is operated by a third party on a network separate from data center 10.
In accordance with the techniques of this disclosure, SDN controller 32 implements application-aware enforcement of firewall policies for cloud data center 10. In one example of the techniques described herein, data center 10 provides a private cloud to one or more customers 4 and may allow applications to be installed, tenants to be created and virtual machines to be instantiated to execute the applications on demand. SDN controller 32 may control which customers can access which applications by means of network permissions or firewall policies for the application. In one example, SDN controller 32 determines a firewall policy for an application and configures firewall 35, located outside SDN gateway 8 of data center 10, with the firewall policy. Firewall 35 may then apply the firewall policy to the network traffic of the application.
An SDN gateway application executing on SDN gateway 8 may allow authorized users (such as one or more customers 4 outside data center 10) to access data center 10 through firewall 35 and SDN gateway 8. After a customer 4 has been authorized for data center 10 (e.g., the customer 4 belongs to a security group that is authorized to access an application of the data center), SDN controller 32 receives a request from customer 4 to access an application provided by data center 10. In response to the request, SDN controller 32 instantiates an instance of the application within a virtual machine of server 26A. In an alternative example, SDN controller 32 instantiates the instance of the application within a container. The application may include one or more network-based applications, such as a web browser or an e-mail application; nested applications, such as a video platform or a social media platform; evasive applications (e.g., applications that dynamically change ports); or other types of applications. During the instantiation process, SDN controller 32 applies general and user-specific configuration to the application instance.
In addition, SDN controller 32 may query firewall 35 for an application signature corresponding to the application instance, for example, if SDN controller 32 does not yet have a record of the application signature of the application. In some examples, the application signature is an application-unique identifier. For example, the application signature may describe the type of the application or the version number of the application so that the application can be distinguished from other applications. As shown in FIG. 1, in response to the query, firewall 35 sends message 36, including the application signature, to SDN controller 32.
SDN controller 32 retrieves an application firewall policy corresponding to the application signature from application firewall policy repository 38. In some examples, application firewall policy repository 38 is a database that stores the application signature and the application firewall policy as a key: value pair. In other words, SDN controller 32 may use the application signature to retrieve the application firewall policy corresponding to the application signature. SDN controller 32 provides the application firewall policy to firewall 35, for example, by sending message 37 via a network management protocol such as the Network Configuration Protocol (NETCONF). In some examples, SDN controller 32 provides one or more application firewall policies to firewall 35 so that firewall 35 applies the firewall rules of the application firewall policies to the network traffic of the application instance. Such firewall rules may include "5-tuple" rules, ACL rules or other firewall filters. In addition, the application firewall policy may define firewall rules based on the application signature.
In some examples, SDN controller 32 may receive, from the user, an indication that the user has ended his or her session with the application. In response to the indication, SDN controller 32 destroys or deallocates the application instance. In addition, SDN controller 32 configures firewall 35 to remove the application firewall policy corresponding to the application signature of the application instance. For example, SDN controller 32 sends a message to firewall 35 instructing firewall 35 to delete, from the policies it stores, the application firewall policy of the application corresponding to the application signature.
In some examples, application firewall policy repository 38 does not include an application firewall policy corresponding to the application signature. In one example, SDN controller 32 generates an application firewall policy corresponding to the application signature, for example, in response to determining that application firewall policy repository 38 does not include an application firewall policy corresponding to the application signature. For example, SDN controller 32 may use a generic firewall template including one or more generic firewall policies to generate the application firewall policy corresponding to the application signature. In other examples, SDN controller 32 queries an administrator for the application firewall policy corresponding to the application signature. SDN controller 32 stores the newly created application firewall policy in application firewall policy repository 38 so that SDN controller 32 can use the application firewall policy for subsequent instances of the application.
In this way, in some examples, when SDN controller 32 instantiates an instance of an application for the first time, SDN controller 32 builds network and firewall policies for the application. In addition, SDN controller 32 configures firewall 35 to apply these network and firewall policies to the application instance and to subsequent instances of the same application. Thus, SDN controller 32 can create a centralized repository of application-specific firewall policies and, as needed, configure firewall 35 with the application-specific firewall policies when instances of the application are created. The techniques of this disclosure may simplify the management and configuration of firewall components (such as firewall 35). Accordingly, the techniques of this disclosure may allow SDN controller 32 to provide a scalable and flexible method for configuring and enforcing firewall policies.
FIG. 2 is a block diagram illustrating an example implementation of data center 10 of FIG. 1 in further detail. In the example of FIG. 2, SDN controller 32 includes one or more analytics nodes 50A-50X (collectively, "analytics nodes 50"), one or more configuration nodes 52A-52X (collectively, "configuration nodes 52") and control nodes 54A-54X (collectively, "control nodes 54"). In general, each of nodes 50, 52 and 52 may be implemented as a separate software process, and these nodes may be distributed across multiple hardware computing platforms that provide an environment for executing the software. In addition, each node maintains state data 56, which may be stored in a centralized or distributed database. In some examples, state database 56 is a NoSQL database. In some examples, state database 56 is a database cluster.
In general, the task of analytics nodes 50 is to collect, store, correlate and analyze information about the virtual and physical network elements in data center 10. This information may include statistics, logs, events and errors used for managing the routing and network configuration of data center 10. Analytics nodes 50 store this information in state database 56.
Configuration nodes 52 translate the high-level data model of orchestration engine 30 into lower-level models suitable for interacting with network elements (such as physical switches 22, 24 and VR agents 36). Configuration nodes 52 keep a persistent copy of the configuration state of SDN controller 32 in state database 56.
Control nodes 54 implement a logically centralized control plane responsible for maintaining ephemeral network state. Control nodes 54 interact with each other and with network elements (such as VR agents 36 and virtual routers 42 of servers 26) to ensure that the network state is eventually consistent with the desired state specified by orchestration engine 30. In general, control nodes 54 receive configuration state information for SDN controller 32 from configuration nodes 32 and exchange routes with each other via IBGP to ensure that all control nodes 54 have the same network state. In addition, control nodes 54 exchange routes with VR agents 36 on servers 26 via XMPP. Control nodes 54 also communicate configuration state information (such as routing instances and forwarding policies) to VR agents 36, for example via XMPP, for installation in the corresponding virtual routers 42. In some examples, control nodes 54 may proxy traffic on behalf of servers 26. These proxy requests may be received over XMPP. In addition, control nodes 54 exchange routes with SDN gateway 8 via BGP, and exchange the configuration state of SDN controller 32 with service nodes 21 via NETCONF.
Configuration nodes 52 provide a discovery service that customers 4 may use to locate the various services available in the network. For example, if VR agent 36A attempts to connect to control node 54A, it uses the discovery service provided by configuration nodes 52 to discover the IP address of control node 54A. Clients executing on VMs 48 may use local configuration, DHCP or DNS to locate the service discovery server within configuration nodes 52.
In some examples, configuration nodes 52 present a northbound API that interfaces with orchestration engine 30. Orchestration engine 30 uses this interface to install configuration state using the high-level data model. Configuration nodes 52 further include a message bus to facilitate communication among internal components. Configuration nodes 52 further include a transformer that discovers changes in the high-level model of orchestration engine 30 and transforms these changes into corresponding changes in the low-level data model managed by SDN controller 32. Configuration nodes 52 further include an IF-MAP server that provides a southbound API for pushing the computed low-level configuration down to control nodes 54. In addition, configuration nodes 52 include a distributed application manager for allocating unique object identifiers and implementing transactions across data center 10.
In accordance with the techniques of this disclosure, one or more control nodes 54 of SDN controller 32 implement application-aware enforcement of firewall policies for cloud data center 10. In one example, one or more control nodes 54 receive, from a user (such as one of customers 4), a request to access an application provided by data center 10. In response, one or more control nodes 54 send an XMPP message to server 26A instructing VM 48 of server 26A to execute an instance of the application. During the instantiation process, one or more control nodes 54 may apply general and user-specific configuration to the application instance.
In addition, one or more control nodes 54 send query 202 to firewall 35, for example via REST, for the application signature corresponding to the application instance. In response to query 202, firewall 35 provides to one or more control nodes 54 response 204, which includes the application signature corresponding to the application instance. One or more control nodes 54 retrieve, from application firewall policy repository 38, the application firewall policy corresponding to the application signature. One or more control nodes 54 send to firewall 35 NETCONF message 206, which includes the application firewall policy. In other examples, one or more control nodes 54 push configuration information including the application firewall policy directly to firewall 35. Firewall 35 applies the application firewall policy to the network traffic of the application instance. Although in the foregoing example one or more control nodes 54 and firewall 35 form messages 202, 204 and 206 using the NETCONF protocol, in other examples one or more control nodes 54 and firewall 25 may form messages 202, 204 and 206 using other protocols, such as BGP, Google Remote Procedure Call ("gRPC"), OpenConf, REST, RESTCONF, OpenFlow, OpenConfig, Simple Network Management Protocol (SNMP), XMPP or other types of open-source generic RPC frameworks.
In some examples, one or more control nodes 54 may receive, from the user, an indication that the user has ended his or her session with the application, or may receive an indication that the application has terminated. In response to the indication, one or more control nodes 54 destroy or deallocate the application instance. In addition, one or more control nodes 54 send a NETCONF message to firewall 35 that causes firewall 35 to remove the application firewall policy corresponding to the application signature of the application instance.
In some examples, application firewall policy repository 38 does not include an application firewall policy corresponding to the application signature. In one example, one or more control nodes 54 generate an application firewall policy corresponding to the application signature. For example, one or more control nodes 54 may use a generic firewall template including one or more generic firewall policies to define the application firewall policy corresponding to the application signature. In other examples, one or more control nodes 54 query an administrator for the application firewall policy corresponding to the application signature. For example, one or more control nodes 54 may provide a user interface that the administrator may use to define the application firewall policy corresponding to the application signature. After receiving, via the user interface, data defining the application firewall policy, one or more control nodes 54 store the application firewall policy in application firewall policy repository 38. One or more control nodes 54 may reuse the application firewall policy for subsequent instances of the same application.
Accordingly, using the techniques of this disclosure, when one or more control nodes 54 instantiate an instance of an application for the first time, the one or more control nodes 54 build network and firewall policies for the application, store the policies in application firewall policy repository 38 and configure firewall 35 to apply these network and firewall policies to the application instance and to subsequent instances of the same application. One or more control nodes 54 may use the techniques described herein to create a centralized repository of application-specific firewall policies and, as needed, configure firewall 35 with the application-specific firewall policies when instances of the application are created. The techniques of this disclosure may simplify the management and configuration of firewall components. Accordingly, the techniques of this disclosure may allow an SDN controller (such as SDN controller 32) to provide a scalable and flexible method for configuring and enforcing firewall policies.
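The messages exchanged between the control nodes and firewall 35 in the passages above (signature query 202 and response 204 via REST, policy installation message 206 and the later removal message via NETCONF) could be framed as follows. This is an added example written for this page, not the patent's or any vendor's message format: the `<rpc>`/`<edit-config>` envelope follows RFC 6241, but the `urn:example:app-firewall` namespace, the `application-policy`, `signature` and `rule` elements and the JSON field names are assumptions, not a real YANG model, and the sample policy is constructed.

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"   # NETCONF base namespace (RFC 6241)
APP_NS = "urn:example:app-firewall"                 # hypothetical namespace for the policy subtree
ET.register_namespace("nc", NC_NS)
ET.register_namespace("afw", APP_NS)

# Constructed policy as the controller would hold it in repository 38 (keyed by signature).
SAMPLE_POLICY = {"rules": [{"protocol": "tcp", "dst-port": 80, "action": "allow"},
                           {"protocol": "tcp", "dst-port": 443, "action": "block"}]}


def signature_query(app_name: str) -> str:
    """Message 202 (REST/JSON): the controller asks the firewall for an application's signature."""
    return json.dumps({"request": "application-signature", "application": app_name})


def signature_response(query_json: str, known_signatures: Dict[str, str]) -> str:
    """Message 204: the firewall answers with the signature of the named application."""
    app = json.loads(query_json)["application"]
    return json.dumps({"application": app, "signature": known_signatures[app]})


def parse_signature_response(response_json: str) -> str:
    return json.loads(response_json)["signature"]


def _edit_config(message_id: str, operation: str, signature: str, policy: Optional[dict]) -> str:
    """<rpc><edit-config> framing per RFC 6241; the policy subtree is keyed by the signature."""
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}running")
    config = ET.SubElement(edit, f"{{{NC_NS}}}config")
    pol = ET.SubElement(config, f"{{{APP_NS}}}application-policy",
                        {f"{{{NC_NS}}}operation": operation})   # "merge" installs, "delete" removes
    ET.SubElement(pol, f"{{{APP_NS}}}signature").text = signature
    for rule in (policy or {}).get("rules", []):
        rule_el = ET.SubElement(pol, f"{{{APP_NS}}}rule")
        for key, value in rule.items():
            ET.SubElement(rule_el, f"{{{APP_NS}}}{key}").text = str(value)
    return ET.tostring(rpc, encoding="unicode")


def install_policy_message(message_id: str, signature: str, policy: dict) -> str:
    """Message 206: install the application firewall policy for the given signature."""
    return _edit_config(message_id, "merge", signature, policy)


def remove_policy_message(message_id: str, signature: str) -> str:
    """Removal message sent when the session ends: delete the policy subtree for the signature."""
    return _edit_config(message_id, "delete", signature, None)


def parse_policy_message(xml_text: str) -> dict:
    """Firewall side: recover operation, signature and rules from a received message."""
    root = ET.fromstring(xml_text)
    pol = root.find(f".//{{{APP_NS}}}application-policy")
    rules = [{child.tag.split("}")[1]: child.text for child in rule_el}
             for rule_el in pol.findall(f"{{{APP_NS}}}rule")]
    return {"operation": pol.get(f"{{{NC_NS}}}operation"),
            "signature": pol.findtext(f"{{{APP_NS}}}signature"),
            "rules": rules}


if __name__ == "__main__":
    sig = parse_signature_response(signature_response(signature_query("web-app"),
                                                      {"web-app": "web-app:2.1"}))
    print(install_policy_message("101", sig, SAMPLE_POLICY))
    print(parse_policy_message(remove_policy_message("102", sig)))
```

Keying the `edit-config` subtree on the signature is what lets the same NETCONF framing serve both installation (`merge`) and the session-end removal (`delete`): the firewall never needs to be told which rules to remove, only which signature's policy no longer applies.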
The architecture of data center 10 illustrated in FIG. 2 is shown for exemplary purposes only. The techniques described in this disclosure may be implemented in the example data center 10 of FIG. 2 as well as in other types of data centers not specifically described herein. Nothing in this disclosure should be construed as limiting the techniques of this disclosure to the example architecture illustrated in FIG. 2.
FIG. 3 is a block diagram illustrating an example control node of the SDN controller in further detail, in accordance with the techniques of this disclosure. Control node 54 is configured to communicate with multiple other types of nodes, including configuration nodes 52A-52X ("configuration nodes 52"), other control nodes 54B-54X, compute nodes 62A-62X ("compute nodes 62") and gateway nodes 72A-72N ("gateway nodes"). Control node 54A provides an operating environment for the execution of protocols 70. Protocols 70 may include, for example, XMPP process 70A, NETCONF protocol process 70B, BGP process 70C and IF-MAP process 70D. In addition, control node 54A includes firewall manager process 74 for configuring firewall 35 with application firewall policies.
The control node receives configuration state from the configuration nodes using IF-MAP. The control node exchanges routes with the other control nodes using IBGP to ensure that all control nodes have the same network state. The control node exchanges routes with the vRouter agents on the compute nodes using XMPP. The control node also uses XMPP to send configuration state, such as routing instances and forwarding policies. The control node proxies certain kinds of traffic on behalf of the compute nodes; these proxy requests are also received over XMPP. The control node exchanges routes with the gateway nodes (routers and switches) using BGP. The control node also uses NETCONF to send configuration state.
Control node 54A receives configuration information from one or more of configuration nodes 52 using Interface for Metadata Access Points (IF-MAP) process 70D. IF-MAP process 70D may include circuitry for executing software instructions for sending and receiving communications to and from configuration nodes 52 in accordance with the IF-MAP protocol. IF-MAP process 70D stores the configuration information received from configuration nodes 52 to configuration state 66 ("config. state 66").
Control node 54A exchanges BGP messages with BGP peers (including control nodes 54B-54X and gateway nodes 72) using BGP process 70C. Gateway nodes 72 may include one or more SDN gateways, such as SDN gateway 8. BGP process 70C may include circuitry for executing software instructions for sending and receiving BGP messages with control nodes 54B-54X in accordance with the BGP protocol. BGP process 70C stores the routing information received in BGP route advertisements from gateway nodes 72 and control nodes 54B-54X to routing information 65.
Control node 54A exchanges messages with the compute nodes using XMPP process 70A in accordance with XMPP. Control node 54A exchanges the messages via XMPP sessions 64A-64B ("XMPP sessions 64"). Compute nodes 62 may correspond to servers 26 of FIGS. 1 to 3. XMPP process 70A may include circuitry for executing software instructions for exchanging XMPP messages with compute nodes 62 in accordance with the XMPP protocol. XMPP is described in further detail in P. Saint-Andre, "Extensible Messaging and Presence Protocol (XMPP): Core", IETF RFC 6120, March 2011, the entire contents of which are incorporated herein by reference.
Depending on the context, control node 54A (and more specifically XMPP process 70A of control node 54A) may act as an XMPP client or as an XMPP server relative to one of compute nodes 62. For example, control node 54A may act as an XMPP server, and compute nodes 62 may be XMPP clients that subscribe to information published by control node 54A, such as configuration information from configuration state 66 for the respective compute node 62 and routing information from routing information 65 that pertains to the respective compute node 62. As another example, control node 54A may act as an XMPP client to one or more of compute nodes 62 acting as XMPP servers, in which case control node 54A subscribes to information published by compute nodes 62, such as routing information learned by compute nodes 62 from other sources. XMPP process 70A receives routes from compute node 62A via XMPP session 64A and stores the routes to routing information 65. Routes learned by XMPP process 70A may be leaked to BGP process 70C, and BGP process 70C in turn may send BGP route advertisements to its BGP peers, those advertisements announcing the routing information 65 learned from compute nodes 62 via XMPP. In some examples, NETCONF process 70B of control node 54A enables control node 54A to communicate with gateway nodes 72 via the NETCONF protocol.
In accordance with the techniques of this disclosure, control node 54A uses firewall manager 74 to exchange messages with firewall 35 through gateways 72 (for example, via NETCONF). In other examples, control node 54A uses firewall manager 74 to exchange messages and application signatures with firewall 35 via another communication protocol (such as BGP, gRPC, OpenConf, REST, RESTCONF, OpenFlow, OpenConfig, SNMP, XMPP or other types of open-source generic RPC frameworks). In some examples, control node 54A uses firewall manager 74 to exchange messages with firewall 35 via an HTTP/2 bidirectional stream. In one example, control node 54A sends, via REST, a query to firewall 35 for the application signature corresponding to the application instance. Gateway node 72N receives the query and forwards it to firewall 35, which provides, via gateway 72N, a response including the application signature corresponding to the application instance to firewall manager 74. Control node 54A uses firewall manager 74 to query application firewall policy repository 38 for the application firewall policy corresponding to the application signature. Control node 54A receives, from application firewall policy repository 38, the application firewall policy corresponding to the application signature. Control node 54A uses firewall manager 74 to configure firewall 35 with the application firewall policy corresponding to the application signature. For example, control node 54A sends to firewall 35, via a protocol such as NETCONF, a message including the application signature and the application firewall policy corresponding to the application signature. In response to receiving the message, firewall 35 installs the application firewall policy corresponding to the application signature and applies the application firewall policy to the network traffic of the application instance.
In some examples, control node 54A receives, from the user, an indication that the user has ended his or her session with the application. In response to the indication, control node 54A destroys or deallocates the application instance. In addition, control node 54A sends a message to firewall 35 that causes firewall 35 to remove the application firewall policy corresponding to the application signature of the application instance.
In some examples, application firewall policy repository 38 does not include an application firewall policy corresponding to the application signature. In this example, control node 54A uses firewall manager 74 to query application firewall policy repository 38 for the application firewall policy corresponding to the application signature. Control node 54A receives a BGP message indicating that application firewall policy repository 38 does not contain such an application firewall policy. In one example, control node 54A uses firewall manager 74 to generate an application firewall policy corresponding to the application signature. For example, firewall manager 74 may include a generic firewall template including one or more generic firewall policies, and control node 54A may use the one or more generic firewall policies to define the application firewall policy corresponding to the application signature.
In other examples, control node 54A queries an administrator for the application firewall policy corresponding to the application signature. Control node 54A receives the application firewall policy corresponding to the application signature via user interface 76. In some examples, user interface 76 is a graphical user interface; in other examples, user interface 76 is a command-line interface. In some examples, control node 54A presents, via user interface 76, one or more applications provided by the virtual machines of servers 26 of FIG. 1. Control node 54A receives, from the administrator and via user interface 76, a selection of one or more of the applications. In response to the selection, control node 54 provides, via user interface 76, an interface that the administrator may use to define one or more application firewall policies including one or more network traffic rules for the selected application. Control node 54 receives, via user interface 76, the defined application firewall policy corresponding to the application signature.
After the application firewall policy has been defined, control node 54A uses firewall manager 74 to send, to application firewall policy repository 38, a BGP message including the application signature and the application firewall policy. Application firewall policy repository 38 stores the application signature and the application firewall policy as a key: value pair for subsequent use. In addition, control node 54A uses firewall manager 74 to configure firewall 35 with the newly defined application firewall policy as described above. Thus, control node 54A can learn the application signature of a new application, define an application firewall policy corresponding to the new application signature and reuse the defined application firewall policy for subsequent instances of the same application.
In some examples, control node 54A maintains application firewall policy repository 38 as part of state data 56 of FIG. 2. In some examples, control node 54A stores application firewall policy repository 38 in a centralized or distributed database. In some examples, application firewall policy repository 38 is a NoSQL database in data center 10. In some examples, application firewall policy repository 38 is a database cluster in data center 10.
Thus, control node 54A uses firewall manager 74 to build network and firewall policies for the application and stores the associated policies in application firewall policy repository 38. In addition, control node 54A uses firewall manager 74 to configure firewall 35 to apply these network and firewall policies to the instance of the application and to subsequent instances of the same application. Accordingly, control node 54A may use firewall manager 74 and application firewall policy repository 38 to create a centralized repository of application-specific firewall policies and, as needed, configure firewall 35 with the application-specific firewall policies when instances of the application are created.
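The controller-side lifecycle described three times above, for SDN controller 32 (FIG. 1), for control nodes 54 (FIG. 2) and for firewall manager 74 of control node 54A (FIG. 3), as one added example that is not part of the patent and not a vendor's implementation: instantiate an application, learn its signature from the firewall, look the signature up in the policy repository (a signature-keyed store), fall back to an administrator-supplied policy or to a generic template when the signature is unknown, push the policy to the firewall, reuse it for later instances, and remove it when the session ends. The `FirewallStub`, `FirewallManager` and `GENERIC_TEMPLATE` names, the in-memory repository and the sample applications are assumptions; so is the refinement that the firewall-side policy is removed only once no live instance with that signature remains, which the description does not spell out.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Policy = Dict[str, list]   # {"rules": [...]}; rule contents are not interpreted here

# Assumed default-deny template used when the repository has no policy for a signature.
GENERIC_TEMPLATE: Policy = {"rules": [{"protocol": "tcp", "dst-port": 443, "action": "allow"},
                                     {"action": "block"}]}


class FirewallStub:
    """Stand-in for firewall 35: answers signature queries and records installed policies."""

    def __init__(self, signatures: Dict[str, str]):
        self._signatures = signatures           # app name -> signature (constructed)
        self.installed: Dict[str, Policy] = {}  # signature -> policy, like repository 406

    def query_signature(self, app_name: str) -> str:     # messages 202 / 204
        return self._signatures[app_name]

    def install(self, signature: str, policy: Policy) -> None:   # message 206
        self.installed[signature] = policy

    def remove(self, signature: str) -> None:
        self.installed.pop(signature, None)


@dataclass
class FirewallManager:
    """Models firewall manager 74 on a control node."""
    firewall: FirewallStub
    repository: Dict[str, Policy] = field(default_factory=dict)    # repository 38: signature -> policy
    ask_admin: Optional[Callable[[str], Optional[Policy]]] = None  # user interface 76, if present
    sessions: Dict[str, str] = field(default_factory=dict)          # live instance id -> signature
    events: List[str] = field(default_factory=list)

    def start_instance(self, instance_id: str, app_name: str) -> Policy:
        signature = self.firewall.query_signature(app_name)
        policy = self.repository.get(signature)
        if policy is None:                        # first instance of this application
            policy = self.ask_admin(signature) if self.ask_admin else None
            source = "admin"
            if policy is None:                    # no administrator-defined policy either
                policy = dict(GENERIC_TEMPLATE)
                source = "template"
            self.repository[signature] = policy   # stored once, reused for later instances
            self.events.append(f"{signature}: created from {source}")
        else:
            self.events.append(f"{signature}: reused")
        self.firewall.install(signature, policy)
        self.sessions[instance_id] = signature
        return policy

    def end_instance(self, instance_id: str) -> None:
        signature = self.sessions.pop(instance_id)
        if signature not in self.sessions.values():   # assumed: keep the policy while others run
            self.firewall.remove(signature)
        self.events.append(f"{signature}: instance {instance_id} ended")


def run_scenario() -> dict:
    """Constructed scenario: two instances of one application, one administrator-defined application."""
    fw = FirewallStub({"web-app": "web-app:2.1", "mail-app": "mail-app:5.0"})
    admin_policies = {"mail-app:5.0": {"rules": [{"protocol": "tcp", "dst-port": 25, "action": "allow"}]}}
    mgr = FirewallManager(fw, ask_admin=lambda sig: admin_policies.get(sig))
    mgr.start_instance("vm-1", "web-app")    # unknown signature, no admin policy -> template
    mgr.start_instance("vm-2", "web-app")    # same signature -> reused from the repository
    mgr.start_instance("vm-3", "mail-app")   # unknown signature -> administrator-defined
    mgr.end_instance("vm-1")                 # vm-2 still live: firewall keeps the policy
    mgr.end_instance("vm-2")                 # last web-app instance: firewall policy removed
    return {"repository": mgr.repository, "installed": fw.installed, "events": mgr.events}


if __name__ == "__main__":
    for line in run_scenario()["events"]:
        print(line)
```

The repository outlives the firewall installation: after both web-app instances end, `installed` no longer contains `web-app:2.1` but `repository` still does, which is what makes the next instance of the same application a reuse rather than a fresh template or administrator round-trip.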
FIG. 4 is a block diagram illustrating an example implementation of firewall 35, in which examples of the techniques described herein may be implemented. In the example of FIG. 4, firewall 35 includes application signature service 402, application firewall policy service 404, application firewall policy repository 406 and packet forwarding component (PFC) 408. In some examples, in addition to providing firewall services, firewall 35 also performs packet switching, routing or filtering functions. In some examples, firewall 35 is a physical firewall component and includes hardware or a combination of hardware and software. In other examples, firewall 35 is a virtual firewall component and includes software executing on one or more virtual machines. In some examples, firewall 35 is part of the infrastructure of data center 10. In other examples, firewall 35 is operated by a third party on a network separate from data center 10.
In accordance with the techniques of this disclosure, firewall 35 receives, from SDN controller 32, a REST message requesting the application signature of an application, and responds with a message indicating the application signature of the specified application. In the example of FIG. 4, firewall 35 uses one or more of protocols 470 (such as one or more of gRPC protocol 470A, NETCONF protocol 470B, BGP protocol 470C, OpenConf protocol 470D, REST protocol 470E or RESTCONF protocol 470F) to process the message received from SDN controller 32. In some examples, application firewall policy service 404 determines the application whose application signature the received message requests. The received message may specify the name of the application whose application signature is requested.
In response to the received message, application signature service 402 generates an application-unique identifier and uses the identifier as the application signature. In other examples, application signature service 402 determines unique information about the application (such as the type of the application or the version number of the application) and generates the application signature using that unique information. In some examples, the application signature is the type of the application or the version number of the application. Application signature service 402 generates a message including the application signature corresponding to the application and sends the message to SDN controller 32 via REST protocol 470B. In other examples, application signature service 402 sends the message to SDN controller 32 via another protocol (such as gRPC or an HTTP/2 bidirectional stream).
In another example, application signature service 402 detects traffic of an unknown application and develops an application signature for the unknown application. For example, application signature service 402 may learn a new application signature for a new attack. In such an example, application signature service 402 monitors the behavior of the unknown application to generate an application-unique identifier, and uses the identifier as the application signature. In some examples, application signature service 402 provides the learned application signature to SDN controller 32 via a message (for example, a REST message) specifying the application signature. This allows SDN controller 32 to update application firewall policy repository 38 to include the new application signature, so that SDN controller 42 and firewall 35 remain synchronized with respect to the most recent application signatures.
In another example, firewall 35 receives specified application signature from SDN controller 32 and one or more application is anti- The message (for example, NETCONF message) of wall with flues strategy, to be used together with the application example for corresponding to application signature.In response to The message is received, application firewall policy service 404 will one or more application firewall policy corresponding with application signature (for example, as key: value to) is stored in application firewall policy library 406, and then by one or more application firewall Strategy is applied to the network flow of application corresponding with application signature.
For example, the PFC 408 of firewall 35 receives one or more network flows of application example via inbound 410A Measure one or more data packets of stream.Application firewall policy service 404 is that one or more application firewall plan is applied in application Slightly, and by the storage of application firewall policy library 406 to one or more data packets.For example, PFC 408 is via outbound link 410B Forward the data packet of the one or more network flow streams allowed by one or more application firewall policy.In addition, PFC 408 Abandon the data packet for the one or more network flow streams forbidden by one or more application firewall policy.
In another example, firewall 35 receives specified application signature from SDN controller 32 and indicates that firewall 35 removes The message (for example, NETCONF message) of one or more application firewall policy corresponding with the application signature.In response to being connect The message of receipts, application firewall policy service 404 stop being applied to one or more application firewall policy to sign with the application The network flow of the corresponding application of name.Application firewall policy service 404 is removed from application firewall policy library 406 and is answered with this With corresponding one or more application firewall policy of signing.
Fig. 5 is a flowchart showing example operations according to the techniques of this disclosure. For convenience, Fig. 5 is described with reference to Fig. 1.
In the example of Fig. 5, SDN controller 32 receives a request to initialize an application instance (502). In response to the request, SDN controller 32 instantiates the application in a virtual machine executing on servers 26 of data center 10. During instantiation, SDN controller 32 applies generic and user-specific configuration (such as network and firewall policies) to the application.
SDN controller 32 requests from firewall 35 the application signature corresponding to the application instance (504). In the example of Fig. 5, firewall 35 is located between SDN gateway 8 of data center 10 and service provider network 6. Firewall 35 provides the application signature to SDN controller 32. In some examples, SDN controller 32 sends a query requesting the application signature to firewall 35 via REST, and receives from firewall 35 a REST response that includes the requested application signature.
SDN controller 32 retrieves the application firewall policy corresponding to the application signature from application firewall policy library 38 (506). In one example, each application firewall policy defines a plurality of network flow rules. Each network flow rule may include at least one source, at least one destination, and a permission action for network traffic originating from the source and going to the destination (for example, block the traffic, allow the traffic, log the traffic or report the traffic to an administrator). SDN controller 32 sends a message to firewall 35 that instructs firewall 35 to install the application firewall policy and apply it to the network traffic of the application instance (508). For example, SDN controller 32 sends a NETCONF message to firewall 35 that specifies the application signature and instructs firewall 35 to install the application firewall policy for the application corresponding to the application signature.
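The controller/firewall exchange of Figs. 4 and 5 (signature request over REST, policy lookup by signature in the controller's library, NETCONF install and remove messages, and the PFC's forward/drop decision per flow rule), as an added Python simulation that is not code from the patent or from Juniper Networks. `Firewall` stands in for firewall 35 and `SdnController` for controller 32 with library 38; the class and method names, the `"*"` wildcard, the deny-all generated policy, the pass-through when no policy is installed and the addresses are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class FlowRule:
    source: str       # source address, or "*" for any (wildcard is an assumption)
    destination: str  # destination address, or "*" for any
    action: str       # "block", "allow", "log" or "report"

@dataclass
class Message:
    protocol: str  # "REST" for signature queries, "NETCONF" for policy install/remove
    kind: str      # "request_signature", "signature", "install_policy" or "remove_policy"
    body: dict

class Firewall:
    def __init__(self) -> None:
        self.policy_store: Dict[str, List[FlowRule]] = {}  # signature -> rules (key: value)
        self.events: List[str] = []                         # log/report actions taken

    def handle(self, msg: Message) -> Optional[Message]:
        if msg.kind == "request_signature":
            # Signature derived from application-exclusive information (type and version).
            sig = f"{msg.body['type']}/{msg.body['version']}"
            return Message("REST", "signature",
                           {"application": msg.body["application"], "signature": sig})
        if msg.kind == "install_policy":
            self.policy_store[msg.body["signature"]] = list(msg.body["rules"])
        elif msg.kind == "remove_policy":
            self.policy_store.pop(msg.body["signature"], None)  # stop enforcing, then discard
        else:
            raise ValueError(f"unknown message kind: {msg.kind}")

    def process_packet(self, signature: str, src: str, dst: str) -> str:
        # PFC verdict for one packet of the application instance: "forward" or "drop".
        rules = self.policy_store.get(signature)
        if rules is None:
            return "forward"  # assumption: no installed policy means no application filtering
        for rule in rules:
            if rule.source in ("*", src) and rule.destination in ("*", dst):
                if rule.action in ("log", "report"):
                    self.events.append(f"{rule.action} {signature} {src}->{dst}")
                return "drop" if rule.action == "block" else "forward"
        return "drop"  # assumption: an installed policy denies flows that no rule allows

class SdnController:
    def __init__(self, firewall: Firewall) -> None:
        self.firewall = firewall
        self.policy_library: Dict[str, List[FlowRule]] = {}  # signature -> policy

    def initialize_instance(self, application: str, app_type: str, version: str) -> str:
        # 504: request the application signature from the firewall over REST.
        reply = self.firewall.handle(Message("REST", "request_signature",
            {"application": application, "type": app_type, "version": version}))
        signature = reply.body["signature"]
        # 506: look the policy up by signature; claim 3: generate and store one if absent.
        rules = self.policy_library.get(signature)
        if rules is None:
            rules = [FlowRule("*", "*", "block")]  # assumption: a generated policy is deny-all
            self.policy_library[signature] = rules
        # 508: NETCONF message instructing the firewall to install the policy.
        self.firewall.handle(Message("NETCONF", "install_policy",
                                     {"signature": signature, "rules": rules}))
        return signature

    def remove_policy(self, signature: str) -> None:
        # Removal message: the firewall stops applying and deletes this signature's policy.
        self.firewall.handle(Message("NETCONF", "remove_policy", {"signature": signature}))

def demo() -> dict:
    ctl = SdnController(Firewall())
    # Claim 4: policy data received by the controller, with constructed addresses.
    ctl.policy_library["web-frontend/2.1"] = [FlowRule("10.0.0.5", "203.0.113.9", "allow"),
                                              FlowRule("*", "198.51.100.7", "report")]
    sig = ctl.initialize_instance("shop-web", "web-frontend", "2.1")
    fw = ctl.firewall
    out = {"allowed": fw.process_packet(sig, "10.0.0.5", "203.0.113.9"),
           "reported": fw.process_packet(sig, "10.0.0.5", "198.51.100.7"),
           "unmatched": fw.process_packet(sig, "10.0.0.5", "192.0.2.1")}
    # Claim 5: a second instance of the same application reuses the stored policy.
    out["same_signature"] = ctl.initialize_instance("shop-web-2", "web-frontend", "2.1") == sig
    # Claim 3: an application with no stored policy gets a generated one.
    out["generated"] = fw.process_packet(
        ctl.initialize_instance("batch", "batch-job", "0.1"), "10.0.0.6", "203.0.113.9")
    ctl.remove_policy(sig)
    out["after_remove"] = fw.process_packet(sig, "10.0.0.5", "192.0.2.1")
    out["events"] = list(fw.events)
    return out
```

Note that the firewall keys its store by signature, not by instance, which is why the second instance in `demo()` needs no new policy and why removing the policy for one signature affects every instance that shares it.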
The techniques described in this disclosure may be implemented, at least in part, in hardware, software, firmware or any combination thereof. For example, various aspects of the described techniques may be implemented within one or more processors, including one or more microprocessors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combination of such components. The term "processor" or "processing circuitry" may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry. A control unit comprising hardware may also perform one or more of the techniques of this disclosure.
Such hardware, software and firmware may be implemented within the same device or within separate devices to support the various operations and functions described in this disclosure. In addition, any of the described units, modules or components may be implemented together or separately as discrete but interoperable logic devices. Depicting different features as modules or units is intended to highlight different functional aspects and does not necessarily imply that such modules or units must be realized by separate hardware or software components. Rather, functionality associated with one or more modules or units may be performed by separate hardware or software components, or integrated within common or separate hardware or software components.
The techniques described in this disclosure may also be embodied or encoded in a computer-readable medium, such as a computer-readable storage medium, containing instructions. Instructions embedded or encoded in a computer-readable storage medium may cause a programmable processor, or other processor, to perform the method, for example, when the instructions are executed. Computer-readable storage media may include random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash memory, a hard disk, a CD-ROM, a floppy disk, a cassette, magnetic media, optical media or other computer-readable media.
Various examples have been described.These and other examples are within the scope of the appended claims.

Claims (22)

1. A method of applying a firewall policy, comprising:
receiving, by a software defined network controller of a data center, a request to initialize an instance of an application; and
in response to receiving the request, sending a message from the software defined network controller to a firewall component located between a software defined network gateway device of the data center and a network external to the data center, the message including:
an application signature corresponding to the instance of the application; and
an application firewall policy corresponding to the application signature,
wherein the message instructs the firewall component to install the application firewall policy to be applied to network traffic of the instance of the application.
2. The method of claim 1, further comprising:
requesting, by the software defined network controller from the firewall component, the application signature corresponding to the instance of the application; and
retrieving, by the software defined network controller from an application firewall policy library of the software defined network controller, the application firewall policy corresponding to the application signature, the application firewall policy to be applied to the network traffic of the instance of the application.
3. The method of claim 2, further comprising:
determining, by the software defined network controller, that the application firewall policy library does not include the application firewall policy corresponding to the application signature;
generating, by the software defined network controller, the application firewall policy; and
storing the application firewall policy in the application firewall policy library.
4. The method of claim 2 or 3, further comprising:
receiving, by the software defined network controller, data defining the application firewall policy; and
storing the application firewall policy in the application firewall policy library.
5. The method of claim 2 or 3, wherein the instance of the application comprises a first instance of the application, and the application signature corresponding to the instance of the application comprises a first application signature corresponding to the first instance of the application,
the method further comprising:
receiving, by the software defined network controller, a request to initialize a second instance of the application;
requesting, by the software defined network controller from the firewall component, a second application signature corresponding to the second instance of the application, wherein the second application signature is identical to the first application signature;
retrieving, by the software defined network controller from the application firewall policy library of the software defined network controller, the application firewall policy; and
providing the application firewall policy from the software defined network controller to the firewall component.
6. The method of any one of claims 1 to 3, wherein the application signature identifies at least one of a type of the application or a version number of the application.
7. The method of any one of claims 1 to 3, wherein the application firewall policy defines at least one of:
one or more network addresses to which the application is forbidden to send network traffic;
one or more network addresses from which the application is forbidden to receive network traffic;
one or more network addresses to which the application is allowed to send network traffic; or
one or more network addresses from which the application is allowed to receive network traffic.
8. The method of any one of claims 1 to 3, wherein the application is a virtual application executed in a virtual machine, and wherein one or more compute nodes of the data center execute the virtual machine.
9. The method of any one of claims 1 to 3, wherein the message comprises a first message, the method further comprising:
sending a second message from the software defined network controller to the firewall component, the second message including:
the application signature corresponding to the instance of the application; and
the application firewall policy corresponding to the application signature,
wherein the second message instructs the firewall component to remove the application firewall policy corresponding to the instance of the application.
10. A software defined network controller of a data center, configured to:
receive a request to initialize an instance of an application; and
in response to receiving the request, send a message to a firewall component located between a software defined network gateway of the data center and a network external to the data center, the message including:
an application signature corresponding to the instance of the application; and
an application firewall policy corresponding to the application signature,
wherein the message instructs the firewall component to install the application firewall policy to be applied to network traffic of the instance of the application.
11. The software defined network controller of claim 10, wherein the software defined network controller is further configured to:
request, from the firewall component, the application signature corresponding to the instance of the application; and
retrieve, from an application firewall policy library of the software defined network controller, the application firewall policy corresponding to the application signature, the application firewall policy to be applied to the network traffic of the instance of the application.
12. The software defined network controller of claim 11, wherein the software defined network controller is further configured to:
determine that the application firewall policy library does not include the application firewall policy corresponding to the application signature;
generate the application firewall policy; and
store the application firewall policy in the application firewall policy library.
13. The software defined network controller of claim 11 or 12, wherein the software defined network controller is further configured to:
receive data defining the application firewall policy; and
store the application firewall policy in the application firewall policy library.
14. The software defined network controller of claim 11 or 12, wherein the instance of the application comprises a first instance of the application, and the application signature corresponding to the instance of the application comprises a first application signature corresponding to the first instance of the application, and
wherein the software defined network controller is further configured to:
receive a request to initialize a second instance of the application;
request, from the firewall component, a second application signature corresponding to the second instance of the application, wherein the second application signature is identical to the first application signature;
retrieve the application firewall policy from the application firewall policy library of the software defined network controller; and
provide the application firewall policy to the firewall component.
15. The software defined network controller of any one of claims 10 to 12, wherein the application signature identifies at least one of a type of the application or a version number of the application.
16. The software defined network controller of any one of claims 10 to 12, wherein the application firewall policy defines at least one of:
one or more network addresses to which the application is forbidden to send network traffic;
one or more network addresses from which the application is forbidden to receive network traffic;
one or more network addresses to which the application is allowed to send network traffic; or
one or more network addresses from which the application is allowed to receive network traffic.
17. The software defined network controller of any one of claims 10 to 12, wherein the application is a virtual application executed in a virtual machine, and wherein one or more compute nodes of the data center execute the virtual machine.
18. The software defined network controller of any one of claims 10 to 12, wherein the message comprises a first message, and
wherein the software defined network controller is further configured to send a second message to the firewall component, the second message including:
the application signature corresponding to the instance of the application; and
the application firewall policy corresponding to the application signature,
wherein the second message instructs the firewall component to remove the application firewall policy corresponding to the instance of the application.
19. A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors of a data center executing a software defined network controller to:
receive a request to initialize an instance of an application; and
in response to receiving the request, send a message to a firewall component located between a software defined network gateway of the data center and a network external to the data center, the message including:
an application signature corresponding to the instance of the application; and
an application firewall policy corresponding to the application signature,
wherein the message instructs the firewall component to install the application firewall policy to be applied to network traffic of the instance of the application.
20. The computer-readable medium of claim 19, wherein the instructions further cause the one or more processors to:
request, from the firewall component, the application signature corresponding to the instance of the application; and
retrieve, from an application firewall policy library of the software defined network controller, the application firewall policy corresponding to the application signature, the application firewall policy to be applied to the network traffic of the instance of the application.
21. The computer-readable medium of claim 20, wherein the instructions further cause the one or more processors to:
determine that the application firewall policy library does not include the application firewall policy corresponding to the application signature;
generate the application firewall policy; and
store the application firewall policy in the application firewall policy library.
22. The computer-readable medium of claim 20, wherein the instructions further cause the one or more processors to:
receive data defining the application firewall policy; and
store the application firewall policy in the application firewall policy library.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/890,174 US10742607B2 (en) 2018-02-06 2018-02-06 Application-aware firewall policy enforcement by data center controller
US15/890,174 2018-02-06

Publications (2)

Publication Number Publication Date
CN110120934A true CN110120934A (en) 2019-08-13
CN110120934B CN110120934B (en) 2021-10-08

Family

ID=64572126

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811443201.3A Active CN110120934B (en) 2018-02-06 2018-11-29 Method, software defined network controller and medium for applying firewall policy

Country Status (3)

Country Link
US (1) US10742607B2 (en)
EP (1) EP3522485B1 (en)
CN (1) CN110120934B (en)

Also Published As

Publication number Publication date
US10742607B2 (en) 2020-08-11
US20190245830A1 (en) 2019-08-08
EP3522485A1 (en) 2019-08-07
EP3522485B1 (en) 2021-04-07
CN110120934B (en) 2021-10-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: California, USA

Applicant after: Juniper Networks, Inc.

Address before: California, USA

Applicant before: Jungle network

GR01 Patent grant